QUESTION & ANSWER

VoIP security needs to be a 'no-brainer'

By Andrew R. Hickey, News Writer 18 Jul 2006 | SearchVoIP.com

Digg This!     StumbleUpon     Del.icio.us

SearchVoIP.com recently spoke with Seshu Medhavapeddy, a VoIP security expert and CEO of VoIP security vendor Sipera Systems, about hacking and other threats to VoIP systems and how to combat threats before it's too late. The following are excerpts from that conversation.

What does this recent hacking show about the state of VoIP security?
Seshu Medhavapeddy: It shows that VoIP as an application on the Internet is no different than any other application, like email, that has preceded it on the Internet in terms of attacks. Across the board, when you introduce a new application, there's a soft underbelly. With VoIP, its openness and ease of use open it up to attacks.

What is it that draws hackers to VoIP?
Medhavapeddy: You have to look at the psychology of hackers. They're motivated by three different things. They're motivated by just causing disruptions. They're motivated by the profit model. And they're motivated by extortion. It's either just for kicks or for profit. All three score very high on the list. All three counts are attractive to hackers.

VoIP is now just crossing the threshold from an obscure, nerdy tool on the Internet to a mainstream application. It's such a critical application that more and more hackers will take notice.

The phone system is money to a lot of enterprises and service providers. Taking it down in any way can cause a lot of damage. We should be more vigilant in securing VoIP systems

For more on VoIP Find out why experience is the best VoIP security teacher Read why you shouldn't always believe the VoIP security hype Check out Zeus Kerravala's VoIP management column

How concerned should enterprises be about the potential for attacks?
Medhavapeddy: Very concerned, because there's evidence now that this is happening. One of the things people think is that VoIP is a complex application, and certainly it is. There is a level of expertise and knowledge that [hackers] need. But thinking that the complexity will stop them is a very naïve view. Hackers are very smart. Never underestimate the enemy.

[Stories about the arrest of the pair of hackers] blew the top off the myth that VoIP is immune to attacks because of its complexity.

What should be an enterprise's first step toward protecting its VoIP system?
Medhavapeddy: You should do an assessment about how vulnerable you really are. Assess your level of risk.

You need to start using specialized security products that protect VoIP applications and deploy those in your network.

You need to start using encryption techniques.

There are techniques in the tool box that differ from other Internet security tools.

Is there any way to detect these attacks early, before there is a noticeable problem?
Medhavapeddy: [Sipera has] done an incredible amount of research on VoIP and how it works. But we've looked at it through the prism [of] the eyes of a hacker.

We've come up with taxonomy of vulnerabilities that you could attack and exploit, and we focused on exploits that can't be caught by existing security solutions for data protection.

What we do is, we say to enterprises: "You already have a security system to protect your Web applications and to protect your data applications, but there are a host of vulnerabilities in your VoIP system that your security systems are oblivious to." VoIP is a very different application than any other application on the Internet. It's real-time and mission-critical. Attacks on VoIP can be more damaging than attacks on other applications.

What's your advice for an enterprise that has rolled out or is considering rolling out VoIP?
Medhavapeddy: I would tell them: "You're doing VoIP for all of the right reasons. It's a powerful collaboration and productivity tool. And it is cost effective.

"But you have to learn from history. Look at what has happened and anticipate that you'll be attacked. Realize that you have to take proactive steps."

There are very good solutions to protect you and make your VoIP system secure. Make security a Day 1 item as you deploy this application.

Let's say a new enterprise is starting and they're creating an intranet. It's a no-brainer that they're going to use a firewall to protect it. VoIP has not yet reached that point where security is a no-brainer.

Tags: VoIP QoS and VoIP Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT VoIP QoS and VoIP Security VoIP implementation study guide How will VoIP impact the quality of phone calls on our network? How does one cope with echo in a VoIP-enabled network? What's the best way to use an echo canceller? Does implementing VoIP security affect the QoS? How would one handle it, if it does? IBM, Avaya deals signal IP telephony quality control's coming of age Ensuring voice and video quality about more than watching packet flows Security concerns for enterprise Skype VoIP service selection: MPLS, VPLS or Metro Ethernet? Microsoft's Real-Time Codec (RTC) for VoIP optimization Disaster and recovery in the VoIP/IPT RFP

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary vishing  (SearchUnifiedCommunications.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary